mirror of
https://github.com/angristan/openvpn-install.git
synced 2024-11-22 00:39:03 +01:00
Add self-hosted DNS resolver (Unbound)
This commit is contained in:
parent
30edb7b769
commit
f057e0aa5f
@ -98,6 +98,7 @@ The script will ask you which DNS resolvers you want to use when connected to th
|
||||
Here are the possibilities :
|
||||
|
||||
- Current system resolvers, those that are in `/etc/resolv.conf`
|
||||
- Self-hosted resolver thanks to Unbound
|
||||
- [Cloudflare](https://1.1.1.1/), recommended, fastest resolvers available (Anycast servers)
|
||||
- [Quad9](https://www.quad9.net), recommended, security and privacy oriented, fast worldwide (Anycast servers)
|
||||
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/), recommended if you're in western europe (France)
|
||||
@ -106,7 +107,6 @@ Here are the possibilities :
|
||||
- [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers)
|
||||
- [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia
|
||||
- [AdGuard DNS](https://github.com/AdguardTeam/AdguardDNS), located in Russia, blocks ads and trackers
|
||||
- Soon : local resolver :D
|
||||
|
||||
Any other fast, trustable and neutral servers proposition is welcome.
|
||||
|
||||
|
@ -91,6 +91,109 @@ newclient () {
|
||||
} >> "$homeDir/$1.ovpn"
|
||||
}
|
||||
|
||||
function installLocalDNS () {
|
||||
if [[ ! -e /etc/unbound/unbound.conf ]]; then
|
||||
|
||||
if [[ "$OS" = "debian" ]]; then
|
||||
apt-get install -y unbound
|
||||
|
||||
echo 'interface: 10.8.0.1
|
||||
access-control: 10.8.0.1/24 allow
|
||||
hide-identity: yes
|
||||
hide-version: yes
|
||||
use-caps-for-id: yes
|
||||
prefetch: yes' >> /etc/unbound/unbound.conf
|
||||
|
||||
elif [[ "$OS" = "centos" ]]; then
|
||||
yum install -y unbound
|
||||
|
||||
# Configuration
|
||||
sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
|
||||
sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
|
||||
sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
|
||||
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
|
||||
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
|
||||
|
||||
elif [[ "$OS" = "fedora" ]]; then
|
||||
dnf install -y unbound
|
||||
|
||||
# Configuration
|
||||
sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
|
||||
sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
|
||||
sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
|
||||
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
|
||||
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
|
||||
|
||||
elif [[ "$OS" = "arch" ]]; then
|
||||
# Install Unbound
|
||||
pacman -Syu unbound expat
|
||||
|
||||
#Permissions for the DNSSEC keys
|
||||
chown root:unbound /etc/unbound
|
||||
chmod 775 /etc/unbound
|
||||
|
||||
# Get root servers list
|
||||
wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints
|
||||
|
||||
# Configuration
|
||||
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
|
||||
echo 'server:
|
||||
root-hints: root.hints
|
||||
auto-trust-anchor-file: trusted-key.key
|
||||
interface: 10.8.0.1
|
||||
access-control: 10.8.0.1/24 allow
|
||||
port: 53
|
||||
do-daemonize: yes
|
||||
num-threads: 2
|
||||
use-caps-for-id: yes
|
||||
harden-glue: yes
|
||||
hide-identity: yes
|
||||
hide-version: yes
|
||||
qname-minimisation: yes
|
||||
prefetch: yes' > /etc/unbound/unbound.conf
|
||||
fi
|
||||
|
||||
if [[ ! "$OS" =~ (fedora|centos) ]];then
|
||||
# DNS Rebinding fix
|
||||
echo "private-address: 10.0.0.0/8
|
||||
private-address: 172.16.0.0/12
|
||||
private-address: 192.168.0.0/16
|
||||
private-address: 169.254.0.0/16
|
||||
private-address: fd00::/8
|
||||
private-address: fe80::/10
|
||||
private-address: 127.0.0.0/8
|
||||
private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
|
||||
fi
|
||||
else
|
||||
# Unbound is already installed
|
||||
echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf
|
||||
|
||||
# Add OpenVPN integration
|
||||
echo 'server:
|
||||
interface: 10.8.0.1
|
||||
access-control: 10.8.0.1/24 allow
|
||||
hide-identity: yes
|
||||
hide-version: yes
|
||||
use-caps-for-id: yes
|
||||
prefetch: yes
|
||||
private-address: 10.0.0.0/8
|
||||
private-address: 172.16.0.0/12
|
||||
private-address: 192.168.0.0/16
|
||||
private-address: 169.254.0.0/16
|
||||
private-address: fd00::/8
|
||||
private-address: fe80::/10
|
||||
private-address: 127.0.0.0/8
|
||||
private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
|
||||
fi
|
||||
|
||||
if pgrep systemd-journal; then
|
||||
systemctl enable unbound
|
||||
systemctl start unbound
|
||||
else
|
||||
service unbound restart
|
||||
fi
|
||||
}
|
||||
|
||||
# Get Internet network interface with default route
|
||||
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
|
||||
|
||||
@ -225,6 +328,37 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
done
|
||||
rm -rf /etc/openvpn
|
||||
rm -rf /usr/share/doc/openvpn*
|
||||
|
||||
if [[ -e /etc/unbound/openvpn.conf ]]; then
|
||||
|
||||
# Remove OpenVPN-related config
|
||||
sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf
|
||||
rm /etc/unbound/openvpn.conf
|
||||
service unbound restart
|
||||
|
||||
until [[ $REMOVE_UNBOUND == "y" || $REMOVE_UNBOUND == "n" ]]; do
|
||||
echo ""
|
||||
echo "If you were already using Unbound before installing OpenVPN, I removed the configuration related to OpenVPN."
|
||||
echo "You can keep using Unbound as before."
|
||||
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
|
||||
done
|
||||
|
||||
if [[ "$REMOVE_UNBOUND" = 'y' ]]; then
|
||||
if [[ "$OS" = 'debian' ]]; then
|
||||
apt-get autoremove --purge -y unbound
|
||||
elif [[ "$OS" = 'arch' ]]; then
|
||||
pacman -R unbound --noconfirm
|
||||
else
|
||||
yum remove unbound -y
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "Unbound removed!"
|
||||
else
|
||||
echo ""
|
||||
echo "Unbound not removed!"
|
||||
fi
|
||||
fi
|
||||
echo ""
|
||||
echo "OpenVPN removed!"
|
||||
else
|
||||
@ -291,16 +425,33 @@ else
|
||||
echo ""
|
||||
echo "What DNS do you want to use with the VPN?"
|
||||
echo " 1) Current system resolvers (from /etc/resolv.conf)"
|
||||
echo " 2) Cloudflare (Anycast: worldwide)"
|
||||
echo " 3) Quad9 (Anycast: worldwide)"
|
||||
echo " 4) FDN (France)"
|
||||
echo " 5) DNS.WATCH (Germany)"
|
||||
echo " 6) OpenDNS (Anycast: worldwide)"
|
||||
echo " 7) Google (Anycast: worldwide)"
|
||||
echo " 8) Yandex Basic (Russia)"
|
||||
echo " 9) AdGuard DNS (Russia)"
|
||||
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do
|
||||
read -rp "DNS [1-9]: " -e -i 1 DNS
|
||||
echo " 2) Self-hosted DNS Resolver (Unbound)"
|
||||
echo " 3) Cloudflare (Anycast: worldwide)"
|
||||
echo " 4) Quad9 (Anycast: worldwide)"
|
||||
echo " 5) FDN (France)"
|
||||
echo " 6) DNS.WATCH (Germany)"
|
||||
echo " 7) OpenDNS (Anycast: worldwide)"
|
||||
echo " 8) Google (Anycast: worldwide)"
|
||||
echo " 9) Yandex Basic (Russia)"
|
||||
echo " 10) AdGuard DNS (Russia)"
|
||||
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 10 ]; do
|
||||
read -rp "DNS [1-10]: " -e -i 1 DNS
|
||||
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
|
||||
echo ""
|
||||
echo "Unbound is already installed."
|
||||
echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
|
||||
echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
|
||||
echo "No changes are made to the current configuration."
|
||||
echo ""
|
||||
|
||||
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
|
||||
read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
|
||||
done
|
||||
if [[ $CONTINUE = "n" ]];then
|
||||
DNS=""
|
||||
CONTINUE=""
|
||||
fi
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
|
||||
@ -591,35 +742,40 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
|
||||
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
|
||||
done
|
||||
;;
|
||||
2) # Cloudflare
|
||||
2)
|
||||
# Install Unbound
|
||||
installLocalDNS
|
||||
echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
3) # Cloudflare
|
||||
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
3) # Quad9
|
||||
4) # Quad9
|
||||
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
4) # FDN
|
||||
5) # FDN
|
||||
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
5) # DNS.WATCH
|
||||
6) # DNS.WATCH
|
||||
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
6) # OpenDNS
|
||||
7) # OpenDNS
|
||||
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
7) # Google
|
||||
8) # Google
|
||||
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
8) # Yandex Basic
|
||||
9) # Yandex Basic
|
||||
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
9) # AdGuard DNS
|
||||
10) # AdGuard DNS
|
||||
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
|
||||
;;
|
||||
|
Loading…
Reference in New Issue
Block a user